Re: Attempts to push spam through apache

From: Andy Smith (wasmith32_at_earthlink.net)
Date: 08/22/04

    Date: Sat, 21 Aug 2004 23:36:07 -0500
    To: "Peter H. Lemieux" <phl@cyways.com>


    If the machine was compromised once then it is likely published
    somewhere...if you are lucky. If you are not lucky then someone has
    managed to install something more stealthy and evil than an IRC proxy.
    Taking the machine down to bare metal might not be a bad idea. If at all
    possible change the IP and DNS names whether it is nuked and paved over
    or not. The log entries could mean nothing, or they could mean something
    nasty is lurking on the box. IMHO you have to assume the latter.

    Regards,
    Andy

    Peter H. Lemieux wrote:
    > My apache logs are recently full of entries like these:
    >
    > 211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25
    > HTTP/1.0" 200 1844
    >
    > Obviously this is an effort to pump spam through my server to
    > 208.17.33.40. There are many other target addresses as well.
    >
    > If I telnet to port 80 and enter the HTTP command
    >
    > CONNECT 208.17.33.40:25 HTTP/1.0
    >
    > the server replies with the 1844-byte home page of this site, as
    > indicated by the "200 1844" part of the log entry. As far as I can
    > tell, this means that these exploit attempts only get a web page in
    > reply and are not able to push the spam through to the intended target.
    >
    > I don't have mod_proxy enabled or anything else that would enable
    > proxying to work. Are these just random spammer attempts to find an
    > open proxy? The fact that there are nearly 35,000 (!) such entries over
    > the past few days suggests that the spammer, or the spammer's software,
    > thinks this exploit is succeeding. How can I be sure that it's not?
    >
    > I've blocked the 211.100.24.0/24 subnet for now, but I'd like to be
    > certain that others can't use the same exploit. I tried a variety of
    > Google searches but haven't found a useful page to read on this subject.
    >
    > Some months ago someone used the recent mod_ssl vulnerability and
    > managed to install an IRC proxy on this server. However I fixed those
    > problems at the time, and there's no evidence that any unauthorized
    > programs, e.g., proxies, are now running. (No, there are no rootkits
    > installed, nor is the ps binary compromised, etc. I'm well aware of
    > such possibilities.) Perhaps the machine was just added to a list of
    > potentially vulnerable servers, and someone else is trying to take
    > advantage of me, even though it's no longer possible?
    >
    > FWIW, I'm running Apache 1.3.27 on RedHat 7.3, but I'd guess these types
    > of exploits only work if there is an open http proxy available, no?
    >
    >
    > Peter
    >
    >

    -- 
    --------------------------
    Andy Smith, MCP
    wasmith32@earthlink.net
    --------------------------
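A defender-side check for the situation Peter describes, added here as an example and not code from the thread: it parses Apache common-log lines, tallies CONNECT probes by source and destination, and separates entries that got the usual 200/1844 home-page reply from any that did not (a relayed connection would not produce that reply). The sample lines are constructed; only the first entry and the 1844-byte home-page size come from the thread.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def analyse_connect(lines, homepage_bytes):
    """Count CONNECT probes per source and target and collect the odd ones.

    A CONNECT answered with status 200 and exactly homepage_bytes (1844 in the
    thread) is a failed probe that got the home page back; any other reply is
    returned in "suspicious" because it does not match that known behaviour.
    """
    by_source, by_target, suspicious = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        by_source[rec["host"]] += 1
        by_target[rec["target"]] += 1
        if not (rec["status"] == 200 and rec["bytes"] == homepage_bytes):
            suspicious.append(rec)
    return {"by_source": by_source, "by_target": by_target, "suspicious": suspicious}

# Constructed sample log: the first line mirrors the entry quoted in the thread,
# the rest are invented to exercise the different outcomes.
SAMPLE_LOG = [
    '211.100.24.173 - - [19/Aug/2004:21:03:48 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 1844',
    '211.100.24.173 - - [19/Aug/2004:21:03:49 -0400] "CONNECT 198.51.100.7:25 HTTP/1.0" 200 1844',
    '203.0.113.5 - - [19/Aug/2004:21:04:01 -0400] "CONNECT 208.17.33.40:25 HTTP/1.0" 200 0',
    '203.0.113.5 - - [19/Aug/2004:21:04:02 -0400] "GET /index.html HTTP/1.0" 200 1844',
]

if __name__ == "__main__":
    summary = analyse_connect(SAMPLE_LOG, homepage_bytes=1844)
    print("by source:", summary["by_source"].most_common(), "odd replies:", len(summary["suspicious"]))
```

Run it against the real access_log (one line per entry, not the wrapped form shown in the mail) with the home-page size taken from a known-good GET entry; a non-empty "suspicious" list is the part worth investigating.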
    
